# Use official Python runtime as base image - stable secure version
FROM python:3.11-slim-bookworm AS base

# Security: Set up non-root user first
RUN groupadd -g 1001 appuser && \
    useradd -m -u 1001 -g appuser appuser

# Set environment variables for security and performance
ENV PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONHASHSEED=random \
    PIP_NO_CACHE_DIR=1 \
    PIP_DISABLE_PIP_VERSION_CHECK=1 \
    PIP_DEFAULT_TIMEOUT=100 \
    PIP_ROOT_USER_ACTION=ignore \
    DEBIAN_FRONTEND=noninteractive \
    PYTHONIOENCODING=utf-8

# Install security updates and build dependencies for ARM64
RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y --no-install-recommends \
    ca-certificates \
    gcc \
    python3-dev \
    && apt-get autoremove -y \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /root/.cache \
    && update-ca-certificates

# Create app directory with correct permissions
WORKDIR /app
RUN chown -R appuser:appuser /app

# Copy requirements as root to ensure they're readable
COPY --chown=appuser:appuser requirements.txt .

# Install Python dependencies with security hardening
# Use pip without pinning versions for better ARM64 compatibility
RUN python -m pip install --no-cache-dir --upgrade pip setuptools wheel && \
    python -m pip install --no-cache-dir -r requirements.txt && \
    find /usr/local -type f -name '*.pyc' -delete && \
    find /usr/local -type d -name '__pycache__' -delete

# Copy application code with correct ownership
COPY --chown=appuser:appuser . .

# Create necessary directories with correct permissions
RUN mkdir -p /app/database /app/workflows /app/static /app/src && \
    chown -R appuser:appuser /app

# Security: Switch to non-root user
USER appuser

# Healthcheck
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD python -c "import requests; requests.get('http://localhost:8000/api/stats')" || exit 1

# Expose port (informational)
EXPOSE 8000

# Security: Run with minimal privileges
CMD ["python", "-u", "run.py", "--host", "0.0.0.0", "--port", "8000"]